Healthcare organizations' employees pose cybersecurity risk
Despite the growth in ransomware and phishing attacks, including several well-publicized events that have resulted in data systems being held hostage, healthcare organizations are only moderately concerned that a breach will affect patient care, according to a new survey.
The study, conducted by HIMSS Analytics for telecommunications company Level 3 Communications, revealed that just one-third of those surveyed said they were very concerned that a security breach would affect patient care in 2017. Already this year, more than 1.7 million patient records have been affected by breaches.
"We thought there would be a higher level of concern," said Chris Richter, Level 3's senior vice president of global security services, "but there wasn't." That's because organizations think they're already doing enough to mitigate risk, he said. The HIMSS Analytics data somewhat mirrors concerns raised by a recent survey by KLAS Research and the College for Healthcare Information Management Executives, which found that fewer than half of surveyed organizations have a vice president or C-suite executive leading cybsecurity efforts, and just under two-thirds talk about security quarterly at board meetings.
As cyberattacks continue to grow more sophisticated, healthcare systems must continue to strengthen their security. Among other things, providers are turning to cyber threat intelligence, which aims to identify threats before breaches occur, and DDoS mitigation, according to the HIMSS survey. The KLAS-CHIME study showed that 55% of respondents rely on encryption to secure their networks, followed by antivirus/malware systems at 42%. Providers are also following the National Institute of Standards and Technology Cybersecurity Framework, a collection of security guidance for private sector companies.
Technologies aren't the only method of promoting cybersecurity—education is too. About 85% of those surveyed by HIMSS have security awareness programs in place. That makes sense, Richter said, since employee awareness and culture is the top security concern for respondents.
"Humans are the weakest link in security," Richter said, especially given how big a threat email phishing is. "Even the dumbest person in the organization gets an email address," Richter said, "so they're at risk."
And any successful phishing or ransomware attack can put patients at risk, especially if EHR data are compromised. "Without EHRs, not only can healthcare as a business not function, but also it could compromise the health of a patient," Richter said, adding that a single electronic health record is about 100 times more valuable than a single credit card record on the black market.
To protect that value, as well as other digital assets, healthcare organizations will continue to introduce cyber threat intelligence over the next year, according to the HIMSS survey. They'll also use technologies such as next-generation firewalls.
No matter what techniques they use, cost will be a factor, said Richter. More than 40% of respondents ranked budget as their top barrier to developing a comprehensive cybersecurity program. Overall, 74% ranked budget within their top three barriers. "The cost of security needs to be reined in. Anything that would drive the cost of healthcare up will come under a lot of scrutiny."